- within Employment and HR, Intellectual Property, Litigation and Mediation & Arbitration topic(s)
- with Inhouse Counsel
- in United States
- with readers working within the Consumer Industries industries
On July 13, 2026, the US Department of Defense (“DoD”), also known as the Department of War, announced that it was immediately suspending Phase II of the Department’s rollout of the Cybersecurity Maturity Model Certification (“CMMC”) program, which phase was to come into effect on November 10, 2026. This announcement, accompanied by memoranda to senior Pentagon leadership, represents a potentially seismic shift in DoD’s position with respect to the regulation of defense contractors’ cybersecurity posture.
As noted in a prior Butzel Client Alert, CMMC is a verification framework used by the US government to assess a contractor’s cybersecurity protections in order to protect sensitive government information, specifically Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”), from cyber threats. Phase I, which took effect on November 10, 2025, introduced CMMC Level 1 and Level 2 self-assessments as a condition of award for new contracts that included CMMC level requirements. Phase II was to require, as condition of award in certain solicitations, an assessment by an authorized CMMC Third-Party Assessment Organization (“C3PAO”).
As Butzel had previously reported, in the months following the rollout of CMMC, concerns had been raised by both government and industry about, among other things, the potential compliance costs incurred by contractors in meeting CMMC requirements. As DoD noted in announcing the suspension: “While the current CMMC program was designed to enhance DIB cybersecurity, instead it has created prohibitive compliance costs and bureaucratic burdens. Recent data, including reports from the Small Business Administration ("SBA"), confirmed that CMMC compliance is forcing innovative companies out of the Defense Industrial Base ("DIB") which will delay the delivery of critical capabilities to the warfighters.”
Accordingly, DoD announced the suspension of the transition to Phase II requirements, along with all pending and future CMMC implementation milestones, and initiated a 60-day study of the future of the CMMC program. Additionally, the Department is establishing a CMMC Reform Task Force to conduct a comprehensive review of the CMMC program, including the solicitation of industry feedback in response to a Request for Information (“RFI”) regarding contractor compliance hurdles. The Task Force is to deliver a report to the DoD Chief Information Office ("CIO") within 60 days.
Notably, during the suspension, DoD will continue to enforce compliance with all Phase I self-assessment requirements, which “remain firmly in place.” Additionally, the Department made clear that all defense contractors and subcontractors remain contractually required to safeguard CUI in accordance with Defense Federal Acquisition Regulation Supplement ("DFARS") 252.204-7012, which requires adherence to National Institute of Standards and Technology ("NIST") SP 800-171, for contractors storing or handling CUI during contract performance.
Key Takeaways
- Phase II implementation is suspended indefinitely. DoD will not proceed with the November 2026 transition requiring CMMC Level 2 C3PAO certifications.
- CMMC Level 1 and Level 2 self-assessments remain in effect. Contractors must continue to demonstrate compliance through self-assessment mechanisms.
- NIST SP 800-171 compliance remains a baseline requirement. The suspension does not eliminate cybersecurity obligations applicable to contractors handling CUI.
- DFARS 252.204-7012 remains fully effective. Contractors must continue safeguarding covered defense information and complying with cyber incident reporting requirements.
- DoD is creating a “CMMC Reform Task Force” to conduct a sixty (60) day review of the program and recommend alternatives intended to reduce barriers to participation in the DIB.
Accordingly, while defense contractors and subcontractors should monitor the aforementioned developments carefully, including looking for the opportunity to provide feedback to the CMMC Reform Task Force, they must also continue to remain compliant with existing cybersecurity compliance obligation, which will continue to remain in effect.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]